1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting malicious modules.
2. Description of the Background Art
A module is an executable file that serves as a shared library of functions. The code of the functions is grouped together in the module file. A module advantageously allows a process to call a function that is not part of the process's own program code. A dynamic-link library (DLL) is a commonly known module employed in operating systems such as the Microsoft Windows™ operating system. Dynamic linking allows a process to call a function whose program code is in a separate DLL file. The DLL contains one or more functions that are compiled, linked, and stored separately from the processes that use them. Multiple applications can simultaneously access the contents of a single copy of a DLL in memory.
While DLLs facilitate the sharing of data and resources, they pose a computer security issue in that malicious code writers may use DLLs to hide malicious codes (e.g., computer viruses) in legitimate processes. One method used by malicious code writers is to inject or load a malicious DLL into a legitimate process. This method is referred to as DLL injection, which can be thought of as malicious code piggy-backing on a legitimate process.
DLL injection provides several advantages to malicious code writers. First, DLL injection is a good way to hide running malicious code. Malicious code running separately as a stand-alone process generally stands out and is thus readily detectable. An experienced system administrator using commonly available process enumeration tools (e.g., the Windows™ operating system's Task Manager, Process Explorer, etc.) could readily identify and terminate suspicious malicious processes.
Second, DLL injection offers superior protection from clean-up. Once injected into a running process, a malicious DLL is very difficult to unload or remove from its host process. Forced unloading of an injected DLL could cause instability in the host process. A relatively easy and safe way to remove an injected DLL is to terminate the host process. However, there are critical processes (e.g., Winlogon.exe, Smss.EXE, Svchost.exe, etc. in the Windows™ operating system) that cannot be terminated without incurring instability on the entire operating system.
Third, DLL injection into a process of a trusted application (e.g., web browser programs, utility programs, etc.) allows the malicious code to inherit the trust normally given to the trusted application. For example, a malicious DLL may be injected inside a web browser process (e.g., Internet Explorer™ or Firefox™ web browser). The injected malicious code could then easily connect to a remote and malicious web server without incurring suspicion or alarm from a firewall or intrusion detection system (IDS). This is made possible by the DLL injection being done in the context of the usually trusted web browser process.
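All three advantages rest on the injected DLL being listed as just another module of a trusted host process. The following PowerShell script is an added illustration, not part of the patent, of the per-process module enumeration a defender would use to surface such modules: it walks every running process, lists its loaded modules, and reports those loaded from outside the assumed trusted directories (Windows, Program Files) or lacking a valid Authenticode signature. The trusted-directory list and the signature check are assumptions chosen for the example; it must run elevated to read the modules of system processes such as Winlogon.exe or Svchost.exe.

```powershell
# Added example (not from the patent): enumerate modules loaded in each running
# process and flag those that either reside outside assumed trusted directories
# or do not carry a valid Authenticode signature. Run from an elevated session.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-SuspiciousModule {
    param([string[]]$Roots = $TrustedRoots)
    foreach ($proc in Get-Process) {
        $modules = $null
        # Protected or already-exited processes throw on .Modules; skip them.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            # Is the module file located under one of the trusted roots?
            $inTrusted = $false
            foreach ($root in $Roots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            # Does the module file carry a valid (embedded or catalog) signature?
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signed = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
            if (-not $inTrusted -or -not $signed) {
                [PSCustomObject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $path
                    InTrusted = $inTrusted
                    Signed    = $signed
                }
            }
        }
    }
}

# Report, grouped by host process, so an injected module inside a trusted
# process (e.g. a browser) stands out next to that process's legitimate DLLs.
Get-SuspiciousModule | Sort-Object Process, Module | Format-Table -AutoSize
```

Treat the output as leads rather than verdicts: unsigned third-party DLLs loaded by legitimate add-ins and shell extensions are common, so a baseline of known-good module paths per process is needed before alerting on the difference.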